Haystack redux

Jacob Appelbaum jacob at appelbaum.net
Wed Sep 15 19:08:02 EDT 2010


On 09/15/2010 11:48 AM, Adam Fields wrote:
> On Wed, Sep 15, 2010 at 03:16:34AM -0700, Jacob Appelbaum wrote:
> [...]
>> What Steve has written is mostly true - though I was not working alone,
>> we did it in an afternoon. It took quite a bit of effort to get Haystack
>> to take this seriously. Eventually, there was an internal mutiny because
>> of a serious technical disconnect between the author Daniel Colascione
>> and the supposed author, Austin Heap. Daniel has been a stand-up guy
>> about the issues discovered and he really the problem space that the
>> tool created.
>>
>> Sadly, most of the issues discovered do not have easy fixes - this
>> includes even discussing some of the very simple but serious design
>> flaws discovered. This has to be the worst disclosure issue that I've
>> ever had to ponder - generally, I'm worried about being sued by some
>> mega corp for speaking some factual information to their users. In this
>> case, I guess the failure mode for being open about details is ... much
>> worse for those affected. :-(
>>
>> An interesting unintended consequence of the original media storm is
>> that no one in the media enjoys being played; it seems that now most of
>> the original players are lining up to ask hard questions. It may be too
>> little and too late, frankly. I suppose it's better than nothing but it
>> sure is a great lesson in popular media journalism failures.
> 
> I'm wondering if someone could shed a little light on how this service
> acquired any real users in the first place, and whether anyone thinks
> that anyone in danger of death-should-the-service-be-compromised is
> actually (still) using it.

The media hype? The fact that many Iranians were reaching out to people
in "the West" during the summer of 2009?

> 
> I find it hard to believe that even the most uninformed dissidents
> would be using an untested, unaudited, _beta_, __foreign__ new service
> for anything. Is there any reason to believe otherwise? My first guess
> would have been that it was a government-sponsored honeypot, and I bet
> they're far more suspicious than I am.
> 

I guess the dissidents that you work with are all savvy, never tricked,
know how to make solid security evaluations, and so on? Generally
speaking... that is not my experience at all.

All the best,
Jacob

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com